0

Is there a difference in terms of security between these two models to be given to View? Ie. in the second example can a webuser/hacker access the methods in any way?

public class ObjectViewModel
  { 
   public PropertyA {get;set;}
   public PropertyB {get;set;}
   public PropertyC {get;set;}
  }



public class ObjectViewModel2
  {
   public PropertyA {get; private set;}
   public PropertyB {get; private set;}
   public PropertyC {get; private set;}

   private void SetPropertyA()
   {
      ...GetDataFromRepository();
   } 

   private void SetPropertyB()
   {
      ...GetDataFromRepository();
   } 

   private void SetPropertyC()
   {
      ...GetDataFromRepository();
   } 
}
zsharp
  • 13,656
  • 29
  • 86
  • 152

3 Answers3

4

First, the model itself is not exposed to the web browser. It's only exposed to the view rendering engine which resides on the server. You can expose access via your actions to certain properties in your model, but these are only via query or form parameters. It won't give access to the underlying methods.

Second, one thing you should know is that the default model binder requires that any properties you wish to set be available via public accessors. If you make a property with a private setter, it won't updated via the model binder.

tvanfosson
  • 524,688
  • 99
  • 697
  • 795
1

No, those methods cannot be accessed in any way via a View unless you explicitly tell it.

Unless your controller specifically exposes those methods, only properties are available via Model Binding.

Peter J
  • 57,680
  • 8
  • 38
  • 45
1

When by-passing the view engine and returning something like a Json(model) or XmlResult(model) you can expose your data. However, since your data is being serialized your view model methods no longer apply.

Community
  • 1
  • 1
Todd Smith
  • 17,084
  • 11
  • 59
  • 78